krishnakumarmahadevan-cmd

Enterprise AI Security Controls Assessment

Author ToolWeb · GitHub ↗ · v1.2.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 229 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install enterprise-ai-security-controls-assessment
Description
Assess OT/ICS security posture across 30 controls in 6 principles — Business Driven, Risk Based, Enterprise Wide, Methodical, OT Security Focused, and OT Sec...
Usage (SKILL.md)

Enterprise AI Security Controls Assessment

Assess your organization's AI security posture across 12 enterprise domains — Identity & Access, Data Protection, Prompt Injection Defense, Model Protection, API Security, Agent Permissioning, Output Filtering, Monitoring & Anomaly Detection, Compliance Mapping, Incident Response, Encryption & KMS, and Risk Intelligence. Each domain covers 5 controls (60 total) and produces prioritized remediation guidance.


Usage

{
  "tool": "enterprise_ai_security_controls_assessment",
  "input": {
    "organization_name": "Acme Corp",
    "industry": "Financial Services",
    "ai_maturity": "intermediate",
    "domains_to_assess": ["identity_access", "prompt_injection_defense", "api_security"],
    "current_controls": {
      "identity_access": {
        "mfa_enabled": true,
        "rbac_implemented": false,
        "service_account_rotation": "manual"
      },
      "prompt_injection_defense": {
        "input_validation": "basic",
        "system_prompt_hardening": false,
        "canary_tokens": false
      }
    }
  }
}

Parameters

Parameter | Type | Required | Description
organization_name | string | | Name of the organization being assessed
industry | string | | Industry vertical (e.g., Financial Services, Healthcare, Retail)
ai_maturity | string | | Current AI maturity level: beginner, intermediate, advanced
domains_to_assess | array | | Subset of domain keys to assess. Omit to assess all 12 domains
current_controls | object | | Key-value map of existing controls per domain (see domain keys below)

Domain Keys

Key Domain
identity_access Identity & Access Control
data_protection Data Protection
prompt_injection_defense Prompt Injection Defense
model_protection Model Protection
api_security API Security
agent_permissioning Agent Permissioning
output_filtering Output Filtering
monitoring_anomaly Monitoring & Anomaly Detection
compliance_mapping Compliance Mapping
incident_response Incident Response
encryption_kms Encryption & Key Management (KMS)
risk_intelligence Risk Intelligence

What You Get

  • Domain-by-domain scorecard — maturity rating per domain (Initial / Developing / Defined / Managed / Optimizing)
  • Control gap analysis — which of the 60 controls are missing, partial, or implemented
  • Prioritized remediation roadmap — Quick Wins (0–30 days), Medium-term (30–90 days), Strategic (90+ days)
  • Compliance alignment — mapped to NIST AI RMF, ISO 42001, SOC 2, and GDPR where applicable
  • Executive summary — board-ready summary of AI security posture

Example Output

{
  "organization": "Acme Corp",
  "overall_maturity": "Developing",
  "overall_score": 42,
  "domain_scores": {
    "identity_access": { "score": 60, "maturity": "Defined", "gaps": 2 },
    "prompt_injection_defense": { "score": 20, "maturity": "Initial", "gaps": 4 },
    "api_security": { "score": 55, "maturity": "Developing", "gaps": 2 }
  },
  "top_risks": [
    "No system prompt hardening exposes models to override attacks",
    "RBAC not implemented — lateral movement risk across AI services",
    "No canary token monitoring for prompt exfiltration"
  ],
  "quick_wins": [
    "Enable RBAC on all AI service accounts (3 days)",
    "Deploy input sanitization layer before LLM endpoints (7 days)",
    "Rotate all AI API keys and set expiry policies (1 day)"
  ],
  "compliance_gaps": ["NIST AI RMF: GOVERN-1.1", "ISO 42001: 6.1.2", "SOC 2: CC6.1"]
}

API Reference

Base URL: https://portal.toolweb.in/apis/security/entaisecconass

Endpoint | Method | Description
/ | GET | Health check
/api/ai-security/assess | POST | Run full assessment
/api/ai-security/domains | GET | List all 12 domain definitions
/api/ai-security/domain/{domain_key} | GET | Get details for a specific domain

Authentication: Pass your API key as X-API-Key header or mcp_api_key argument via MCP.
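An added client example, not part of the skill or of ToolWeb's own code: it takes the key from an environment variable (ENTERPRISE_ASSESSMENT_API_KEY, the name suggested in this page's safe-use recommendations) instead of a prompt, validates the request against the documented parameters and 12 domain keys, and allows egress only over HTTPS to the documented vendor host. The exact JSON layout the REST endpoint expects is not documented on the page, so sending the input object as-is is an assumption, and the sample input is constructed.

```python
import json
import os
import urllib.request
from urllib.parse import urlparse

BASE_URL = "https://portal.toolweb.in/apis/security/entaisecconass"
ASSESS_URL = BASE_URL + "/api/ai-security/assess"
API_KEY_ENV = "ENTERPRISE_ASSESSMENT_API_KEY"  # env var name suggested on this page
DOMAIN_KEYS = frozenset({  # the 12 domain keys documented in SKILL.md
    "identity_access", "data_protection", "prompt_injection_defense", "model_protection",
    "api_security", "agent_permissioning", "output_filtering", "monitoring_anomaly",
    "compliance_mapping", "incident_response", "encryption_kms", "risk_intelligence",
})

def validate_input(payload: dict) -> list:
    """Return the problems found in an assessment input object (empty list = ok)."""
    problems = []
    for field in ("organization_name", "industry"):
        if not isinstance(payload.get(field), str) or not payload[field].strip():
            problems.append(f"{field} must be a non-empty string")
    if payload.get("ai_maturity") not in ("beginner", "intermediate", "advanced"):
        problems.append("ai_maturity must be beginner, intermediate or advanced")
    for source in ("domains_to_assess", "current_controls"):
        for key in payload.get(source, ()):
            if key not in DOMAIN_KEYS:
                problems.append(f"unknown domain key in {source}: {key!r}")
    return problems

def url_allowed(url: str) -> bool:
    """Egress allowlist: HTTPS only, and only the documented vendor host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == urlparse(BASE_URL).hostname

def build_request(payload: dict, api_key: str) -> tuple:
    """Return (url, headers, body) for POST /api/ai-security/assess. The key travels only
    in X-API-Key; assumed: the body is the documented input object sent as-is."""
    problems = validate_input(payload)
    if problems:
        raise ValueError("; ".join(problems))
    if not url_allowed(ASSESS_URL):
        raise ValueError(f"refusing to send to {ASSESS_URL}")
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    return ASSESS_URL, headers, json.dumps(payload).encode()

if __name__ == "__main__":  # first run with a constructed, non-sensitive sample; key from env
    sample = {"organization_name": "Example Org", "industry": "Retail", "ai_maturity": "beginner"}
    url, headers, body = build_request(sample, os.environ[API_KEY_ENV])
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(json.dumps(json.load(resp), indent=2))
```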


Pricing

Plan Daily Limit Monthly Limit Price
Free 5 / day 50 / month $0
Developer 20 / day 500 / month $39
Professional 200 / day 5,000 / month $99
Enterprise 100,000 / day 1,000,000 / month $299

About

ToolWeb.in — 200+ security APIs, CISSP & CISM certified, built for enterprise AI security practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube

Safe-use recommendations
This appears to be an external API-backed assessment tool, but there are a few red flags to resolve before installing:
  1. Ask the publisher to clarify the discrepancy between the initial metadata (30 controls / 6 principles) and the SKILL.md (12 domains / 60 controls).
  2. Confirm how the API key should be supplied: demand an explicit required-env declaration (for example, ENTERPRISE_ASSESSMENT_API_KEY) or integration with your secret manager; do not paste org secrets into free-form prompts.
  3. Verify the external endpoint (portal.toolweb.in) and the publisher identity (toolweb.in): check TLS certs, WHOIS, company pages, and references to ensure it's a legitimate vendor.
  4. Consider privacy: the skill will transmit organizational security posture data to a third party; test with non-sensitive sample data first and review the vendor's data handling / retention policies and pricing limits.
  5. If you need to allow network calls only to approved endpoints, restrict them to the vendor domain and require the vendor to document required headers, scopes, and a least-privilege key.
If these clarifications are not provided, treat the skill as untrusted and avoid sending real organizational secrets or sensitive configuration data.
Functional analysis
Type: OpenClaw Skill
Name: enterprise-ai-security-controls-assessment
Version: 1.2.0
The skill bundle consists of documentation (SKILL.md) and metadata (_meta.json) for an AI security assessment tool. It defines an interface for an AI agent to send organizational security posture data to a third-party API (portal.toolweb.in) to generate a maturity report. The behavior is transparent and aligned with its stated purpose of security auditing, with no evidence of malicious code, hidden instructions, or unauthorized data exfiltration.
Capability assessment
Purpose & Capability
The SKILL.md describes an enterprise AI security assessment (domains, scoring, remediation), which aligns with the skill name. However, the top-level metadata/description provided to the evaluator ("30 controls in 6 principles") contradicts the SKILL.md (12 domains, 60 controls). Also, the skill expects an external assessment API (portal.toolweb.in), which is plausible for this purpose but should have been declared as an external dependency or credential requirement.
Instruction Scope
Runtime instructions are instruction-only and call a third-party API (portal.toolweb.in) and expect an API key (X-API-Key or mcp_api_key). The SKILL.md does not instruct the agent to read local files or unrelated environment variables, which is good, but it does direct potentially sensitive organizational data to an external endpoint without declaring how that credential is supplied or scoped.
Install Mechanism
No install spec or code files are present (instruction-only). This minimizes filesystem/write risk; there is no binary download or archive extraction.
Credentials
The SKILL.md requires an API key to authenticate to portal.toolweb.in but the skill metadata declares no required environment variables or primary credential. That mismatch is disproportionate: a network-backed assessment tool should explicitly declare how credentials are passed and which env var (or secret) it needs.
Persistence & Privilege
The skill is not marked always:true and requests no system-level config or persistent presence. Autonomous invocation is allowed (platform default) but is not combined with elevated privileges here.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat window: /install enterprise-ai-security-controls-assessment
  3. After installation, call the Skill by name directly or trigger it with /enterprise-ai-security-controls-assessment
  4. Provide the required inputs according to the Skill's parameter description to receive structured output
Version history
v1.2.0
  • Major update: Skill rebranded and expanded from OT/ICS to Enterprise AI Security Controls Assessment.
  • Now covers 12 AI security domains (60 controls) such as Identity & Access, Prompt Injection Defense, API Security, Monitoring, Compliance, and more.
  • Inputs and outputs are standardized for enterprise AI security, including maturity ratings, gap analysis, prioritized remediation, and compliance alignment.
  • Detailed API reference, pricing tiers, and domain keys provided.
  • README file removed; core documentation is now in SKILL.md.
v1.0.0
  • Initial release of Enterprise AI Security Controls Assessment.
  • Assess AI security posture across 12 enterprise domains with 60 total controls.
  • Generates domain-by-domain scorecards, control gap analysis, prioritized remediation roadmap, and executive summary.
  • Includes compliance mapping to NIST AI RMF, ISO 42001, SOC 2, and GDPR.
  • Provides a detailed API reference and transparent pricing plans.
Metadata
Slug enterprise-ai-security-controls-assessment
Version 1.2.0
License MIT-0
Total installs 0
Current installs 0
Version count 2
FAQ

What is Enterprise AI Security Controls Assessment?

Assess OT/ICS security posture across 30 controls in 6 principles — Business Driven, Risk Based, Enterprise Wide, Methodical, OT Security Focused, and OT Sec... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 229 downloads to date.

How do I install Enterprise AI Security Controls Assessment?

Run the command "/install enterprise-ai-security-controls-assessment" in the OpenClaw or Claude Code chat window to install it in one step; no extra configuration is needed.

Is Enterprise AI Security Controls Assessment free?

Yes, Enterprise AI Security Controls Assessment is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Enterprise AI Security Controls Assessment support?

Enterprise AI Security Controls Assessment runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Enterprise AI Security Controls Assessment?

Developed and maintained by ToolWeb (@krishnakumarmahadevan-cmd); the current version is v1.2.0.
